2) As a workaround, you could hide your replica behind a back-ldap,
because it can handle this on behalf of your client, if you're using
simple bind: create a proxy server with a back-ldap instance and add the
"rebind-as-user" directive; see slapd-ldap(5) for further details. Then
your client must access the proxy instead of the real replica.

Hm... I think having back-ldap & back-meta support SASL binds would be
useful. I had an application I couldn't support because they don't. The
general issue was that there was a server on a VLAN that needed LDAP access. We
wanted to put a back-ldap server on the bridge, so the application could
talk to the back-ldap server, and the back-ldap server could talk to our
normal servers. Unfortunately, we couldn't make the back-ldap server
connect to our servers via SASL.
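For readers who want to see what the simple-bind workaround from the quoted message looks like in practice, here is an added slapd.conf sketch for the proxy; it is an illustration written for this note, not configuration from either poster or from the OpenLDAP project. The hostnames, suffix and file paths are placeholders; only the `database ldap`, `uri` and `rebind-as-user` directives come from slapd-ldap(5).

```conf
# Added example: a minimal back-ldap proxy that forwards each client's
# simple bind to the real replica (hostnames and paths are placeholders).
include   /etc/openldap/schema/core.schema
pidfile   /var/run/slapd.pid
argsfile  /var/run/slapd.args

# The proxy serves the same naming context as the replica it fronts.
database  ldap
suffix    "dc=example,dc=com"

# The real replica that the client is not allowed to reach directly;
# the client points at this proxy instead.
uri       "ldap://replica.internal.example.com/"

# Remember the client's simple-bind credentials and reuse them on the
# proxied connection, so the replica sees the client's own identity
# rather than a fixed proxy identity.
rebind-as-user yes
```

Because the proxy holds the client's bind DN and password for the rebind, the proxy host and the link between proxy and replica deserve the same protection as the replica itself; in particular, run both hops over TLS so a plaintext simple bind never crosses the bridge in the clear.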